Stale IAAS policy attachment to role
| Id | ccdf3f87-7890-4549-9d0f-8f43c1d2751d |
| Rulename | Stale IAAS policy attachment to role |
| Description | The rule detects ‘IaaS policies’ attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk. |
| Severity | Informational |
| Tactics | PrivilegeEscalation Persistence |
| Techniques | T1098 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml |
| Version | 1.0.3 |
| Arm template | ccdf3f87-7890-4549-9d0f-8f43c1d2751d.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Stale IAAS policy attachment to role"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
relevantTechniques:
- T1098
queryPeriod: 30m
triggerOperator: gt
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionEnabled: false
suppressionDuration: 5h
description: The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
version: 1.0.3
tactics:
- PrivilegeEscalation
- Persistence
severity: Informational
status: Available
triggerThreshold: 0
queryFrequency: 30m
alertDetailsOverride:
alertTactics: Tactics
alertDescriptionFormat: Stale IAAS policy attachment to role. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days.It is recommended to remove unused policies from identities to reduce risk.
alertnameFormat: Alert from Authomize - Stale IAAS policy attachment to role
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AnyAlert
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
groupByAlertDetails: []
groupByEntities: []
groupByCustomDetails: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
id: ccdf3f87-7890-4549-9d0f-8f43c1d2751d
customDetails:
EventName: Policy
ReferencedURL: URL
AuthomizeEventID: EventID
EventDescription: Description
EventRecommendation: Recommendation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Stale IAAS policy attachment to role"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
name: Stale IAAS policy attachment to role